This past week has been eventful, but if you've kept up with Facebook-related news in the past 8 years, then this won't be all too surprising. Buckle in for a quick recap.
In 2013, 6 million Facebook users' information was exposed (phone numbers/email addresses).
May 2018, 14 million users' private posts were shared publicly.
September 2018, ~50 million users' accounts were breached, giving hackers access to most of your information, as well as apps you've logged into using Facebook.
March 2019, ~600 million users' passwords were stored as plaintext files (i.e. not encrypted/not private, the equivalent of writing your password on a sticky note and sticking it on your desk); this includes Instagram users too.
April 2019, 540 million users' accounts were publicly accessible.
Also April 2019, 1.5 million users' email addresses were used by Facebook to find out who you communicate with on a personal level (even if they aren't on Facebook). Believe it or not... this was not even the same data breach.
September 2019, 419 million users' data (including your unique Facebook ID, phone number, names, genders, & locations) were publicly accessible.
December 2019, 309 million users' phone numbers, names, and IDs were exposed on the dark web.
Thought I was done?
April 7, 2021: 533 million users' information was publicly available online, including phone numbers, email addresses, location, birth dates, and so on.
At this point... it's pretty safe to assume that your information is owned, or definitely accessible (at the very least), by more than just a handful of people. If this doesn't terrify you, I'm jealous.
But for the rest of us, what now?
Data breaches are not uncommon anymore, especially given how little companies care about your privacy and how actively they try to abuse it or profit from it. Though Facebook is the focus of today's tech-letter, today's tech-tool is useful in most scenarios.
haveibeenpwned is the personal project of a man named Troy Hunt. It's honestly a very old project (I remember using this in 2014), so you might have come across it before. The website's main goal is to let a user know
If a company's data has been breached,
If you are part of the breach.
Based on the image above, you can see that a total of 521 websites have been breached, 11 billion accounts have been affected, and you can even go through a list of the biggest and most recent breaches.
There are a few different ways you can use haveibeenpwned.
A simple search. Enter your phone number (international format) or email, and it will show you:
If you've been pwned,
In how many situations you've been pwned,
Where your sensitive information is currently available (in what haveibeenpwned calls a "paste"). When I type in my main email address, it shows me that I was part of 10 data breaches (including Adobe in 2013, MyFitnessPal in 2018, and Canva in 2019).
Notify me. Again, breaches are not uncommon, especially when you easily have over 50 different accounts online (and can't even remember signing up for half of them). You can have haveibeenpwned send you a notification if you're ever involved in a future breach.
Pwned Passwords. Let me guess: you either use an easy password, or you reuse the same password everywhere. I get it. But this might (and will) come back to haunt you. haveibeenpwned lets you look up a password and see whether it has appeared in a known breach or paste online.
Note: if your password for xyz website is "123456", it's likely that at least 100 million other people have used the same password for other online accounts, so this feature doesn't necessarily show that the password breach is tied to you, so much as that the password itself has been visible/accessible somewhere online.
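As an added example (not from the tech-letter), here is how the Pwned Passwords check works without your full password ever leaving your machine: only the first five characters of the password's SHA-1 hash are sent to the api.pwnedpasswords.com range endpoint, and the returned list of hash suffixes is matched locally. The sample response body below is constructed for the example, and its counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Optional, Tuple

# Constructed sample of a Pwned Passwords range response for prefix 7C4A8.
# Each line is the remaining 35 hex chars of a SHA-1 hash, a colon, and a
# count of how often that password was seen. Counts here are made up.
SAMPLE_RANGE_7C4A8 = "\r\n".join([
    "D09CA3762AF61E59520943DC26494F8941B:1234567",  # "123456" (count constructed)
    "0000123456789ABCDEF0123456789ABCDEF:3",         # constructed filler
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",          # constructed filler
])


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range from HIBP; only the 5-char prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Optional[Callable[[str], str]] = None) -> int:
    """Number of times the password appears in the range; 0 if not seen."""
    prefix, suffix = split_sha1(password)
    body = (fetch or fetch_range_live)(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    seen = pwned_count("123456", fetch=lambda prefix: SAMPLE_RANGE_7C4A8)
    print(f"'123456' seen {seen} times (constructed count)")
```

Leaving out the `fetch` argument performs the live lookup against haveibeenpwned; with it, the match runs entirely offline against whatever body you supply.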
With the latest Facebook breach, haveibeenpwned even lets you check for phone numbers. I'm lucky enough that my phone number resulted in 0 pwnage, but my dad wasn't as lucky (the image above shows how his phone number was part of the April 7 data breach).
So, your information has been exposed. What are your options? Honestly, not much you can do about the past, but protect yourself for the future.
For starters, unless you actively need Facebook, try to minimise how much you use it, or how much data you give it. Two, and this is my best advice, use a decent "password manager" and stop using the same easy password everywhere. I wrote a very brief tech-letter on Bitwarden a year ago, my favourite (free) password manager. Not only does it save your passwords (and is very safe), but it can also make up random passwords for you.
Lastly, something I try to do a few times a year is just Google myself, my email, or my phone number. This will give you a good idea of how much of your information is out there. And if any old accounts/profiles pop up that have your information on them, you can take the opportunity to delete those accounts. If this tech-letter gets good feedback, I might even talk about a tech-tool I use that automatically finds all accounts my email address has been used to create.
haveibeenpwned is a free-to-use data discovery tool that essentially lets you know if your data has been compromised or not. You can enter your email(s) and phone number(s) to see what data breach your information was a part of, check how vulnerable your password is, and even choose to be notified on future data breaches (because I'm sure I'll write another tech-letter about the next Facebook scandal).